You are here
Oracle CPU October 2017 - Java (WAF and Login/IAM)
Submitted on 18. October 2017 - 10:55 by rischi.
Last update on 20. October 2017 - 19:22.
Last update on 20. October 2017 - 19:22.
Keywords:
java, cpu, Oracle Critical Patch Update
Description:
The Oracle Critical Patch Update for October 2017 includes updates for Java SE [1] that fix several vulnerabilities.
Airlock WAF uses Java in the Configuration Center and in several add-on modules.
Airlock Login/IAM relies on a separately installed Java environment. This Java runtime environment is maintained by the system administrator.
Airlock WAF and Login/IAM are not affected.
Details
- CVE-2017-10388
Affects the Java Kerberos client, which is not used in Airlock WAF and Login/IAM. The Airlock Suite is therefore not vulnerable. - CVE-2017-10281
Affects Java deserialization. Airlock WAF and Login/IAM are not affected because deserialization is only performed on trusted data. - CVE-2017-10295
Affects applications using HttpURLConnection with attacker controlled URLs. Airlock WAF and Login/IAM are not affected because the URLs used with HttpURLConnection are trusted. - CVE-2017-10356
Affects Java Keystores and may allow password guessing attacks. Airlock WAF does not use Java Keystore files and is therefore not affected. The keystore files used by Airlock Login/IAM reside on the server and are therefore in a protected environment. - CVE-2017-10345
Affects Java Keystores and may allow high memory consumption. Airlock WAF does not use Java Keystore files and is therefore not affected. As Airlock Login/IAM only reads trusted Keystore files, it is not vulnerable. - CVE-2017-10355
Affects Java applications establishing an FTP connection. FTP is not used in Airlock WAF and Airlock Login/IAM. - CVE-2016-10165
Affects Java 2D which is not used by Airlock. - CVE-2017-10110, CVE-2017-10089, CVE-2017-10086, CVE-2017-10096, CVE-2017-10101, CVE-2017-10087, CVE-2017-10090, CVE-2017-10111, CVE-2017-10107, CVE-2017-10114, CVE-2017-10074, CVE-2017-10067, CVE-2017-10125, CVE-2017-10109, CVE-2017-10105, CVE-2017-10081, CVE-2017-10193
Only affect client deployments that run untrusted code or the Java Advance Management Console. Airlock WAF and Login/IAM are not affected.
Resolution:
No action required for Airlock WAF, Airlock WAF add-on modules and Airlock Login/IAM
General Advice:
- We recommend regular updates of the Java SE installation used by Airlock Login/IAM.
- We strongly recommend to update all client deployments of Java and uninstalling Java from clients where it is not needed.
Airlock Vulnerability Status:
Does not affect Airlock
Back-end Vulnerability Status:
No action required